'unsafe-eval'

  • Emmker
    Member
    • Nov 2023
    • 98

    #1

    'unsafe-eval'

    Is it safe to remove 'unsafe-eval' from CSP?
  • Davide Alghi
    Junior Member
    • Sep 2024
    • 15

    #2
    Hi Emmker,

    as far as I know, removing unsafe-eval (and unsafe-inline) is safer, but it may break JS functions like eval() and JS constructors like Function().

    In other words, the unsafe-eval directive allows the 'creation' of methods from strings, so it potentially opens the door to code injection attacks, but removing it may break some JS functions (if in the code).

    In the past I was forced to insert the unsafe-eval and unsafe-inline directives in the Apache VirtualHost because otherwise the web-app did not work correctly.


    • Emmker
      Member
      • Nov 2023
      • 98

      #3
      Originally posted by Davide Alghi
      Hi Emmker,

      as far as I know, removing unsafe-eval (and unsafe-inline) is safer, but it may break JS functions like eval() and JS constructors like Function().

      In other words, the unsafe-eval directive allows the 'creation' of methods from strings, so it potentially opens the door to code injection attacks, but removing it may break some JS functions (if in the code).
      So, removing the 'unsafe-eval' is not an option here as I understand.

      yuri
      I do not want to disable CSP altogether.
      I just have a request from my client to remove 'unsafe-eval' and add base-uri/object-src.
      Is that possible or will it break espo functions?
      Last edited by Emmker; 05-17-2025, 08:26 AM.


      • yuri
        Member
        • Mar 2014
        • 9021

        #4
        I encourage you to figure it out by looking into the code. It's been really hard for me to address multiple questions and resolve many issues on a daily basis. The product would have been better if I hadn't spent a big part of the day answering questions. Open source implies that everyone can look into the code and figure it out.
        If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.



        • Emmker
          Emmker commented
          I fully appreciate your work Yuri.
          Didn't mean to bother you with my questions.
          Not being a coder myself, it is really difficult to review and understand everything here, but I will do my best.

          Again. Thank you for your time and effort.
      • yuri
        Member
        • Mar 2014
        • 9021

        #5
        Sorry, I misunderstood a bit. If you remove it, the application won't work. Often large web apps rely on APIs that unsafe-eval enables. We use it for dynamic loading of modules and libs. Considering Espo is extensible at runtime, not sure if we can get rid of the unsafe-eval parameter soon.
        Last edited by yuri; 05-19-2025, 12:55 PM.

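An added example (not code from this thread or from EspoCRM) of how to test the change Emmker's client asked for without hitting the breakage yuri describes: keep the current policy enforced, send the hardened candidate (no 'unsafe-eval', plus base-uri and object-src) as Content-Security-Policy-Report-Only, and then check the collected violation reports for eval() hits. The report collector path is an assumed endpoint you would host yourself.

```javascript
// Added example (not code from the thread or from EspoCRM): parse a CSP header,
// derive the stricter policy the client asked for, and ship it as Report-Only
// so the browser reports eval() violations instead of breaking the app.
// Parse "directive v1 v2; directive ..." into a Map of directive -> [values].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy].map(([name, values]) => [name, ...values].join(' ')).join('; ');
}

// Candidate policy: drop 'unsafe-eval' where it can apply to scripts (script-src,
// or default-src as its fallback) and add base-uri/object-src if absent.
function hardenCsp(header) {
  const policy = parseCsp(header);
  for (const name of ['default-src', 'script-src']) {
    if (!policy.has(name)) continue;
    policy.set(name, policy.get(name).filter((v) => v.toLowerCase() !== "'unsafe-eval'"));
  }
  if (!policy.has('base-uri')) policy.set('base-uri', ["'self'"]);
  if (!policy.has('object-src')) policy.set('object-src', ["'none'"]);
  return serializeCsp(policy);
}

// Headers for the trial period: the current policy stays enforced, the candidate
// is only reported. reportUri is a hypothetical collector endpoint you host.
function trialHeaders(currentHeader, reportUri) {
  return {
    'Content-Security-Policy': currentHeader,
    'Content-Security-Policy-Report-Only': `${hardenCsp(currentHeader)}; report-uri ${reportUri}`,
  };
}

// Read the collected reports: a script-src violation with blocked-uri "eval"
// (the value the CSP spec uses for eval()/Function()) means the app still needs
// 'unsafe-eval', as yuri describes; other report types are unrelated to it.
function needsUnsafeEval(reports) {
  return reports.some((r) => {
    const body = r['csp-report'] ?? r;
    const directive = body['effective-directive'] ?? body['violated-directive'] ?? '';
    return directive.startsWith('script-src') && body['blocked-uri'] === 'eval';
  });
}
```

If the reports show no eval violations after a representative period of use, the candidate can be moved to the enforced header; if they do, the thread's answer stands and 'unsafe-eval' has to stay.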
